Burp suite allows pentesters to set session-management rules. It is possible to set up session-management rule via Macro. Here we will try to create a Macro for automating the process of capturing CSRF tokens. Then we will try to validate it via repeater and browser tab.

Anti-CSRF tokens are randomly generated tokens that are associated with the user’s current session. They are contained within HTML forms and links associated with sensitive server-side operations. An anti-CSRF token should be included in the request when users perform sensitive operations (e.g. banking transfer). The server should verify the existence and authenticity of this token before processing the request. If the token is missing or incorrect, the request will be denied.

We will use this method to automate login authentication in DVWA which uses CSRF token in the POST login request.

How To Do It:

1. Default DVWA login page on localhost, setup is done via:

docker run — — rm -it -p 80:80 vulnerable/web-dvwa

2. Add localhost in the Burp suite scope.

3. After login out when the application redirected to http://localhost/login.php , the token is present in the response body.

4. Switch to the proxy history tab and identify the request which is having a CSRF token in the response.

5. Visit the Project Options tab > then the Sessions tab.

6. In the session handling rule, click on Add (Ignore pre-created rules.)

7. Then change the Rule Description and In the rule action. Select Run a macro.

8. The Macro Recorder opens up, Select the http://localhost/login.php request with length 1860 bytes. Click ok.

This page comes after the user logs out. On clicking the logout button, user is redirected to login.php with CSRF token in the body. This is described in step 3.

9. In the Macro editor, enter the Macro Description and click on Configure Item .

10. In the Configure Macro item, Click on add.

11. We know that parameter used in the user_token for CSRF. Let’s quickly validate via proxy history.

12. From step 10, Select the parameter value for user_token which is automatically selected in the Burp Suite.

13. Now click ok and save it. The Macro Editor window will open up.

14. In the Macro Editor, add the Macro Descriptionthen select ok.

15. Then in the Session handling rule editor, change the tab to Scope. Select the scope and URL scope accordingly.

17. Macro for CSRF handling has been created. Save ok, let’s test this macro.

18. Send the login.php request to the repeater and check the user token value.

19. Now resend the request and compare the value from the previous request. Both values are different.

This validates that the Macro is working fine and we can use it in the next tutorial.

How it Works:

Here, the Anti-csrf token is changed to a different value by replaying the request in the repeater. This allows to bypass the CSRF token mechanism automatically and provides flexibility while automated scanning via Burp suite.

It works by capturing the user_token value and then running the Macro by replacing old CSRF token with the new value captured .

Reference:

1. https://www.youtube.com/watch?v=LsMZnpUIFZI&list=PLDlltT2o4UZCrWiWx4cEzk8D7YhCAFX4T&index=10
2. https://portswigger.net/support/using-burp-suites-session-handling-rules-with-anti-csrf-tokens
3. https://www.packtpub.com/product/burp-suite-cookbook/9781789531732

The next Burp Suite macro tutorial will guide you through automating the login process.